Users of the SAP Invoice and Goods Receipt Reconciliation application access the data replicated from the SAP ECC system as SAP HANA studio users. There is no direct relationship between a user in the ECC server and the corresponding SAP HANA studio user accessing the analytic application. Therefore, you must configure various authorization-relevant settings in the SAP HANA studio to restrict access to the replicated data.
Prerequisites
You must ensure that users have the right level of authorization to access data replicated from SAP ECC, and that it is available in the analytic application. To do so, ensure that the following authorization-relevant settings have been made:
To enable access for users to the SAP Invoice and Goods Receipt Reconciliation application, an administrator has created users in the SAP HANA studio.
You have installed and activated the virtual data model views for ECC and SAP Invoice and Goods Receipt Reconciliation in the SAP HANA studio.
You have configured data replication between the ECC server and the SAP HANA server. For more information, see the Installation Information chapter in this guide, as well as the documentation available on SAP Help Portal at http://help.sap.com/hba.
Settings for Business Users
Grant authorization to users that only need to access the analytic application as follows:
Create and assign analytic privileges to users for granting access to the following query views from the package sap.hba.apps.grircm.views:
GRIRAccountingDocumentQuery
GRIRClearingMonitorDigestQuery
GRIRClearingMonitorQuery
GRIRClearingMonitorStatusClearedQuery
GRIRClearingMonitorStatusOpenQuery
GRIRClearingMonitorStatusQuery
GRIRFiscalYearPeriodQuery
GRIRGoodsReceiptQuery
GRIRInvoiceReceiptQuery
GRIRNumberOfOpenItemsQuery
GRIRNumberOfPurchaseOrderItemsQuery
GRIROpenItemAgingQuery
GRIROpenItemQuery
GRIROwnUserContactDataQuery
GRIRPurchaseOrderClearingAgingQuery
GRIRPurchaseOrderHistoryQuery
GRIRPurchaseOrderItemDigestQuery
GRIRPurchaseOrderQuery
GRIRPurOrdHistoryWithDeliveryCostsQuery
GRIRStatusNumberOfPurOrdItemsQuery
GRIRUserContactDataQuery
GRIRUserDefaultContactDataQuery
GRIRVendorContactDataQuery
GRIRVendorDefaultContactDataQuery
SAPClientQuery
CompanyCodeQuery
Because these views can also be called directly, it is best to restrict the authorization at least on SAPClient and CompanyCode. The view CompanyCodeQuery provides the data for the value help (F4 help) of company codes shown on the Personalization screen of the SAP Invoice and Goods Receipt Reconciliation monitor. The view SAPClientQuery provides the data for the value help (F4 help) of the client shown on the same Personalization screen.
SAP recommends that you create analytic privileges for the above query views with restrictions on the view attributes according to your business requirements.
Create and assign analytic privileges to users for granting full access to the non-query views consumed by the query views listed above. These views are part of the SAP Invoice and Goods Receipt Reconciliation virtual data model. Include the views listed below from the package sap.hba.apps.grircm.views:
GRIRAccountingDocument
GRIRClearingMonitor
GRIRClearingMonitorDigest
GRIRPurchaseOrderItemDigest
GRIRClearingMonitorStatus
GRIRClearingMonitorStatusCleared
GRIRClearingMonitorStatusOpen
GRIRFiscalYearPeriod
GRIRGoodsReceipt
GRIRInvoiceReceipt
GRIRNumberOfOpenItems
GRIRNumberOfPurchaseOrderItems
GRIROpenItemAging
GRIROpenItem
GRIRPurchaseOrder
GRIRPurchaseOrderClearingAging
GRIRPurchaseOrderHistory
GRIRPurchaseOrderHistoryWithDeliveryCosts
GRIRStatusNumberOfPurchaseOrderItems
GRIRUserContactData
GRIRUserDefaultContactData
GRIRVendorContactData
GRIRVendorDefaultContactData
Create and assign analytic privileges to users for granting full access to the non-query views consumed by the SAP Invoice and Goods Receipt Reconciliation Monitor application from SAP HANA Live for ECC. These views are part of the SAP HANA Live for ECC virtual data model. Include the views listed below from the package sap.hba.ecc:
AccountingDocumentType
AccountingPeriod
BKPF
BSEG
CalendarYearBasedVariant
CommunicationMediumTypeName
CompanyCode
Country
CreditControlArea
Currency
DunningArea
DunningBlockingReason
FinancialAccountType
FiscalFirstPeriod
FiscalYearBasedVariant
FiscalYearLastPeriod
FiscalYearPeriod
FiscalYearPeriodBeginDate
GLAccount
GLAccountInChartOfAccounts
GLAccountInCompanyCode
MaximumDunningLevel
PaymentBlockingReason
PaymentDifferenceReason
PaymentMethodForCountry
Plant
PlantName
PostedAccountingDocumentEntryView
ProfitCenter
PurchaseOrderHistory
PurchaseOrderHistoryCategory
PurchaseOrderHistoryDeliveryCost
PurchasingDocumentHeader
PurchasingDocumentItem
PurchasingGroup
SpecialGLCode
SpecialLastPeriod
SpecialPeriodWithDate
StorageLocation
UnitOfMeasureName
UserContactData
UserDefaultContactData
UserEmailAddressData
UserFaxData
UserMobilePhoneData
UserOfficeData
UserPhoneData
ValuationArea
Vendor
VendorCellPhoneData
VendorContactData
VendorDefaultContactData
VendorEmailAddressData
VendorFaxData
VendorPhoneData
Year
SAP recommends that you create one analytic privilege containing all non-query view references. The restriction for this analytic privilege must be empty, which means that this analytic privilege grants full access to the non-query views mentioned above.
When business users work with the application SAP Invoice and Goods Receipt Reconciliation, you must assign them SQL SELECT, UPDATE, and INSERT privileges for the following:
Schema: SAP_HBA
Catalog object: sap.hba.apps.grircm.db/GRIRCMSTATUS
SAP HANA database table: sap_hba_apps_grircm_db_GRIRCMSTATUS (this is delivered with the application)
The application checks the user’s SQL SELECT, UPDATE, and INSERT privileges, as well as the user’s read privilege while data is being updated. In this case, access is granted on row level.
Grant SELECT privilege on the following query views:
GRIRAccountingDocumentQuery
GRIRClearingMonitorDigestQuery
GRIRClearingMonitorQuery
GRIRClearingMonitorStatusClearedQuery
GRIRClearingMonitorStatusOpenQuery
GRIRClearingMonitorStatusQuery
GRIRFiscalYearPeriodQuery
GRIRGoodsReceiptQuery
GRIRInvoiceReceiptQuery
GRIRNumberOfOpenItemsQuery
GRIROpenItemQuery
GRIROwnUserContactDataQuery
GRIRPurchaseOrderClearingAgingQuery
GRIRPurchaseOrderHistoryQuery
GRIRPurchaseOrderItemDigestQuery
GRIRPurchaseOrderQuery
GRIRPurOrdHistoryWithDeliveryCostsQuery
GRIRStatusNumberOfPurOrdItemsQuery
GRIRUserContactDataQuery
GRIRUserDefaultContactDataQuery
GRIRVendorContactDataQuery
GRIRVendorDefaultContactDataQuery
SAP recommends that you do not grant SYSTEM user permissions to users accessing the SAP Invoice and Goods Receipt Reconciliation application, as this will give them full access to the data.
You can restrict access to data for users of the SAP Invoice and Goods Receipt Reconciliation application as follows:
By defining row-based access restrictions through analytic privileges on query views according to your requirements for data access control. For example, in the query view GRIRClearingMonitorQuery, you can assign a restriction on the attribute SAPClient in the analytic privilege. This ensures client isolation, which means that this analytic privilege grants access to view the data for that particular client only. If you do not assign any restriction on the attribute SAPClient in the analytic privilege, the analytic privilege grants access to view data for all clients.
In the analytic privilege, you can restrict the range of attribute values and their combinations that a particular user can see in the application.
Access to the SAP HANA view GRIROwnUserContactData, which is used in the application to retrieve the SAP ERP user maintained in the application for a given SAP HANA user, can be restricted as follows:
By assigning the appropriate row-based analytic privilege for the attribute “User”, you can ensure that a user has access to the correct SAP ERP user only. The contact data of the SAP ERP user is used in the application for outgoing calls if telephony integration is configured and enabled.
SAP recommends that you define the authorizations as SAP HANA roles, which can then be more easily assigned to existing and new users. Such a role can, for example, contain the necessary SQL privileges for accessing the query views and non-query views, and for assigning analytic privileges to the query views and non-query views.
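An added example (not SAP's code): a small Python audit that checks one user's grants against the settings described above, that is, SELECT, INSERT and UPDATE on the status table, SELECT on the query views, and an analytic privilege that restricts SAPClient and CompanyCode. The dict layout for the grants, the _SYS_BIC object naming and the two sample users are assumptions constructed for illustration, and only three of the query views are checked.

```python
# Added example: audit one user's grants against the rules on this page.
# The dict layout is a constructed stand-in for an export of grants, not an SAP format.
STATUS_TABLE = ("SAP_HBA", "sap_hba_apps_grircm_db_GRIRCMSTATUS")
PKG = "sap.hba.apps.grircm.views"
# Subset of the page's query views, kept short for the example
QUERY_VIEWS = ["GRIRClearingMonitorQuery", "GRIROpenItemQuery", "GRIRPurchaseOrderQuery"]
ISOLATION_ATTRS = ("SAPClient", "CompanyCode")
VIEW_SCHEMA = "_SYS_BIC"  # assumption: activated views appear here as "<package>/<view>"

def audit(user):
    """Return a sorted list of findings for one user's grants."""
    findings = []
    sql = user.get("sql", {})        # {(schema, object): {privileges}}
    aps = user.get("analytic", [])   # [{"views": [...], "restrictions": {...}}]
    missing = {"SELECT", "INSERT", "UPDATE"} - sql.get(STATUS_TABLE, set())
    if missing:
        findings.append("status table: missing " + ",".join(sorted(missing)))
    for view in QUERY_VIEWS:
        if "SELECT" not in sql.get((VIEW_SCHEMA, f"{PKG}/{view}"), set()):
            findings.append(f"{view}: no SELECT")
        covering = [ap for ap in aps if view in ap["views"]]
        if not covering:
            findings.append(f"{view}: no analytic privilege")
        for ap in covering:
            for attr in ISOLATION_ATTRS:
                # No restriction on an attribute means every value of it is visible
                if not ap["restrictions"].get(attr):
                    findings.append(f"{view}: {attr} unrestricted")
    return sorted(set(findings))

def make_user(client, company_codes):
    """Build a constructed, correctly restricted business user."""
    sql = {STATUS_TABLE: {"SELECT", "INSERT", "UPDATE"}}
    for view in QUERY_VIEWS:
        sql[(VIEW_SCHEMA, f"{PKG}/{view}")] = {"SELECT"}
    ap = {"views": list(QUERY_VIEWS),
          "restrictions": {"SAPClient": [client], "CompanyCode": company_codes}}
    return {"sql": sql, "analytic": [ap]}

# Constructed sample users: GOOD follows the page, WEAK deviates in two places
GOOD = make_user("100", ["1000"])
WEAK = make_user("100", ["1000"])
WEAK["sql"][STATUS_TABLE] = {"SELECT"}              # cannot update the status table
WEAK["analytic"][0]["restrictions"].pop("SAPClient")  # no client isolation

if __name__ == "__main__":
    for label, user in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit(user))
```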
You can define authorizations on the level of view fields. SAP delivers metadata, that is, authorization objects with the corresponding fields and activities, for the following views:
GRIRClearingMonitorDigestQuery
GRIRNumberOfOpenItemsQuery
GRIRPurchaseOrderClearingAgingQuery
GRIRClearingMonitorQuery
GRIRClearingMonitorStatusQuery
GRIROpenItemQuery
GRIRPurchaseOrderQuery
GRIRAccountingDocumentQuery
GRIRPurchaseOrderHistoryQuery
GRIRPurOrdHistoryWithDeliveryCostsQuery
GRIRPurchaseOrderItemDigestQuery
GRIRGoodsReceiptQuery
GRIRInvoiceReceiptQuery
GRIRVendorContactDataQuery
GRIRVendorDefaultContactDataQuery
GRIRClearingMonitorStatusClearedQuery
GRIRClearingMonitorStatusOpenQuery
This metadata is available in the SAP HANA Live Authorization Assistant. For more information, see the section SAP HANA Live Authorization Assistant under Privileges, as well as the documentation available on SAP Help Portal at http://help.sap.com/hba.